]>
Commit | Line | Data |
---|---|---|
7c673cae FG |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | /* | |
4 | * Ceph - scalable distributed file system | |
5 | * | |
6 | * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net> | |
7 | * | |
8 | * This is free software; you can redistribute it and/or | |
9 | * modify it under the terms of the GNU Lesser General Public | |
10 | * License version 2.1, as published by the Free Software | |
11 | * Foundation. See file COPYING. | |
12 | * | |
13 | * OSDCaps: Hold the capabilities associated with a single authenticated | |
14 | * user key. These are specified by text strings of the form | |
15 | * "allow r" (which allows reading anything on the OSD) | |
16 | * "allow rwx auid foo" (which allows full access to listed auids) | |
17 | * "allow rwx pool foo" (which allows full access to listed pools) | |
18 | * "allow *" (which allows full access to EVERYTHING) | |
19 | * | |
20 | * The full grammar is documented in the parser in OSDCap.cc. | |
21 | * | |
22 | * The OSD assumes that anyone with * caps is an admin and has full | |
23 | * message permissions. This means that only the monitor and the OSDs | |
24 | * should get * | |
25 | */ | |
26 | ||
27 | #ifndef CEPH_OSDCAP_H | |
28 | #define CEPH_OSDCAP_H | |
29 | ||
30 | #include <ostream> | |
31 | using std::ostream; | |
32 | ||
33 | #include "include/types.h" | |
34 | #include "OpRequest.h" | |
35 | ||
36 | static const __u8 OSD_CAP_R = (1 << 1); // read | |
37 | static const __u8 OSD_CAP_W = (1 << 2); // write | |
38 | static const __u8 OSD_CAP_CLS_R = (1 << 3); // class read | |
39 | static const __u8 OSD_CAP_CLS_W = (1 << 4); // class write | |
40 | static const __u8 OSD_CAP_X = (OSD_CAP_CLS_R | OSD_CAP_CLS_W); // execute | |
41 | static const __u8 OSD_CAP_ANY = 0xff; // * | |
42 | ||
43 | struct osd_rwxa_t { | |
44 | __u8 val; | |
45 | ||
46 | // cppcheck-suppress noExplicitConstructor | |
47 | osd_rwxa_t(__u8 v = 0) : val(v) {} | |
48 | osd_rwxa_t& operator=(__u8 v) { | |
49 | val = v; | |
50 | return *this; | |
51 | } | |
52 | operator __u8() const { | |
53 | return val; | |
54 | } | |
55 | }; | |
56 | ||
31f18b77 | 57 | ostream& operator<<(ostream& out, const osd_rwxa_t& p); |
7c673cae FG |
58 | |
59 | struct OSDCapSpec { | |
60 | osd_rwxa_t allow; | |
61 | std::string class_name; | |
62 | std::string class_allow; | |
63 | ||
64 | OSDCapSpec() : allow(0) {} | |
65 | explicit OSDCapSpec(osd_rwxa_t v) : allow(v) {} | |
66 | explicit OSDCapSpec(std::string n) : allow(0), class_name(std::move(n)) {} | |
67 | OSDCapSpec(std::string n, std::string a) : | |
68 | allow(0), class_name(std::move(n)), class_allow(std::move(a)) {} | |
69 | ||
70 | bool allow_all() const { | |
71 | return allow == OSD_CAP_ANY; | |
72 | } | |
73 | }; | |
74 | ||
75 | ostream& operator<<(ostream& out, const OSDCapSpec& s); | |
76 | ||
77 | ||
78 | struct OSDCapMatch { | |
79 | // auid and pool_name/nspace are mutually exclusive | |
80 | int64_t auid; | |
81 | std::string pool_name; | |
82 | bool is_nspace; // true if nspace is defined; false if not constrained. | |
83 | std::string nspace; | |
84 | ||
85 | std::string object_prefix; | |
86 | ||
87 | OSDCapMatch() : auid(CEPH_AUTH_UID_DEFAULT), is_nspace(false) {} | |
88 | OSDCapMatch(std::string pl, std::string pre) : | |
89 | auid(CEPH_AUTH_UID_DEFAULT), pool_name(pl), is_nspace(false), object_prefix(pre) {} | |
90 | OSDCapMatch(std::string pl, std::string ns, std::string pre) : | |
91 | auid(CEPH_AUTH_UID_DEFAULT), pool_name(pl), is_nspace(true), nspace(ns), object_prefix(pre) {} | |
92 | OSDCapMatch(uint64_t auid, std::string pre) : auid(auid), is_nspace(false), object_prefix(pre) {} | |
93 | ||
94 | /** | |
95 | * check if given request parameters match our constraints | |
96 | * | |
97 | * @param pool_name pool name | |
98 | * @param nspace_name namespace name | |
99 | * @param pool_auid pool's auid | |
100 | * @param object object name | |
101 | * @return true if we match, false otherwise | |
102 | */ | |
103 | bool is_match(const std::string& pool_name, const std::string& nspace_name, int64_t pool_auid, const std::string& object) const; | |
104 | bool is_match_all() const; | |
105 | }; | |
106 | ||
107 | ostream& operator<<(ostream& out, const OSDCapMatch& m); | |
108 | ||
109 | ||
110 | struct OSDCapGrant { | |
111 | OSDCapMatch match; | |
112 | OSDCapSpec spec; | |
113 | ||
114 | OSDCapGrant() {} | |
115 | OSDCapGrant(OSDCapMatch m, OSDCapSpec s) : match(m), spec(s) {} | |
116 | }; | |
117 | ||
118 | ostream& operator<<(ostream& out, const OSDCapGrant& g); | |
119 | ||
120 | ||
121 | struct OSDCap { | |
122 | std::vector<OSDCapGrant> grants; | |
123 | ||
124 | OSDCap() {} | |
125 | explicit OSDCap(std::vector<OSDCapGrant> g) : grants(std::move(g)) {} | |
126 | ||
127 | bool allow_all() const; | |
128 | void set_allow_all(); | |
129 | bool parse(const std::string& str, ostream *err=NULL); | |
130 | ||
131 | /** | |
132 | * check if we are capable of something | |
133 | * | |
134 | * This method actually checks a description of a particular operation against | |
135 | * what the capability has specified. Currently that is just rwx with matches | |
136 | * against pool, pool auid, and object name prefix. | |
137 | * | |
138 | * @param pool_name name of the pool we are accessing | |
139 | * @param ns name of the namespace we are accessing | |
140 | * @param pool_auid owner of the pool we are accessing | |
141 | * @param object name of the object we are accessing | |
142 | * @param op_may_read whether the operation may need to read | |
143 | * @param op_may_write whether the operation may need to write | |
144 | * @param classes (class-name, rd, wr, whitelisted-flag) tuples | |
145 | * @return true if the operation is allowed, false otherwise | |
146 | */ | |
147 | bool is_capable(const string& pool_name, const string& ns, int64_t pool_auid, | |
148 | const string& object, bool op_may_read, bool op_may_write, | |
149 | const std::vector<OpRequest::ClassInfo>& classes) const; | |
150 | }; | |
151 | ||
152 | static inline ostream& operator<<(ostream& out, const OSDCap& cap) | |
153 | { | |
154 | return out << "osdcap" << cap.grants; | |
155 | } | |
156 | ||
157 | #endif |